ansible-vault 2.4 and 2.5 "New Vault Password" prompt when using edit/view/etc commands after running original encrypt operation #30491

Closed
JohnVonNeumann opened this issue Sep 18, 2017 · 14 comments · Fixed by #30514
Labels
affects_2.4 This issue/PR affects Ansible v2.4 backport This PR does not target the devel branch. bug This issue/PR relates to a bug. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

JohnVonNeumann commented Sep 18, 2017

ISSUE TYPE
  • Bug Report
COMPONENT NAME

ansible-vault

ANSIBLE VERSION
ansible 2.4.0.0
  config file = /home/lw/code/work/ansible/ansible.cfg
  configured module search path = [u'/home/lw/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/lw/code/work/ansible/venv-27-ans-24/local/lib/python2.7/site-packages/ansible
  executable location = /home/lw/code/work/ansible/venv-27-ans-24/bin/ansible
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]

AND

ansible 2.5.0
  config file = /home/lw/code/work/ansible/ansible.cfg
  configured module search path = [u'/home/lw/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/lw/code/work/ansible/venv-27-ans/local/lib/python2.7/site-packages/ansible
  executable location = /home/lw/code/work/ansible/venv-27-ans/bin/ansible
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]

CONFIGURATION

Configuration unchanged, I have run the same manual check across three versions, 2.3, 2.4 and 2.5 with the same config file. It is the default configuration.

OS / ENVIRONMENT

Linux Ubuntu 16.04 Dell XPS 13
I first installed just the devel version (2.5), after finding this bug, I apt-get installed 2.3 and tested it. After this, to duplicate virtualenv situation, I then installed stable-2.4 via pip in a new venv, then finally installed 2.3 in another separate env.

SUMMARY

Files can be encrypted with:
ansible-vault encrypt foobar.yml

But when you use:
ansible-vault edit foobar.yml

On 2.4 and 2.5, you receive a prompt to set a new password again, even though the file is already encrypted, you can then drag your version back to 2.3, and it will return to "normal/expected behaviour".

EDIT: Also, an additional point (this is actually probably important), is that when you are reprompted to create a "new" password for an already encrypted file, if you input the password originally used for encryption on both of the "set a new password prompts", you will be able to access the file, if you try to set a new password however, that will fail.

STEPS TO REPRODUCE

Install from devel, locate yourself in the role directory and create a file you wish to ansible-vault, use ansible-vault encrypt foobar.yml on the file, then try and run ansible-vault edit foobar.yml, this should occur on 2.4 and 2.5, I first ran the encrypt via 2.5, and I can successfully edit it using 2.3, but not any version higher than 2.3

EXPECTED RESULTS

I expected to be able to get a predictable result from ansible-vault, I expect to be able to encrypt, decrypt, edit and view like I can in 2.3

ACTUAL RESULTS

What

(venv-27-ans) lw@RobertOppenheimer:files$ echo "this is a test" > foobar.yml
(venv-27-ans) lw@RobertOppenheimer:files$ cat foobar.yml 
this is a test
(venv-27-ans) lw@RobertOppenheimer:files$ ansible-vault encrypt foobar.yml 
New Vault password: _thisisatest_ 
Confirm New Vault password: _thisisatest_
Encryption successful
(venv-27-ans) lw@RobertOppenheimer:files$ cat foobar.yml 
$ANSIBLE_VAULT;1.1;AES256
37623637346261373237633131376234356433353765633366346561363935666634663035313736
3961383762346666626434366635343461613064383066340a643237636566353533623234633231
36626166376463363365396131623030326564666331353962626433653962663731386336646135
3232393131316630660a376437633162613437326633626536656131653461636266346463353366
6330
(venv-27-ans) lw@RobertOppenheimer:files$ ansible-vault edit foobar.yml 
New Vault password: 


@ansibot ansibot added affects_2.4 This issue/PR affects Ansible v2.4 bug_report needs_triage Needs a first human triage before being processed. support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Sep 18, 2017
@abadger abadger added the backport This PR does not target the devel branch. label Sep 18, 2017
@nrwahl2
Contributor

nrwahl2 commented Sep 18, 2017

I can reproduce this with ansible-vault edit but not with ansible-vault view as described in the title.

@nrwahl2
Contributor

nrwahl2 commented Sep 18, 2017

Submitted PR #30493 to fix.

@JohnVonNeumann
Author

@nrwahl2 Full disclosure, I may not have had an issue with view, I incorrectly extrapolated edit not working, to the rest of them not working. My apologies, next time I will be more careful with my titles and writing out the problem.

@nrwahl2
Contributor

nrwahl2 commented Sep 18, 2017

@JohnVonNeumann No problem. It only took a minute or two to see what was and what was not working as expected. Basically edit was just put in the wrong group (the one where it prompts for a new password) instead of an alternate group that prompts for an existing password. I moved it to the other one (where view was already) so that should take care of it.

@JohnVonNeumann
Author

@nrwahl2 Yeah you got onto it quickly! Good work on that, honestly I'm a little bit annoyed at myself for not figuring it out, I would usually look at the code first and see if I could figure it out. Given me a bit of courage to try and submit my own fixes now though, so thank you for that.

@nrwahl2
Contributor

nrwahl2 commented Sep 18, 2017 via email

@alikins
Contributor

alikins commented Sep 18, 2017

Some notes at: #30493 (comment)

@alikins
Contributor

alikins commented Sep 18, 2017

so goal for 'ansible-vault edit existing_encrypted_file.yml' is to be prompted for a single password instead of being prompted for a new password?

Since the file will be encrypted with whatever password is entered at the prompt, current code treats that like a new file (to avoid re-encrypting the file with the typo).

I'm leaning towards the 2.4 behavior being correct (prompt for new) and the 2.3 behavior being wrong (no confirm on entered password).

I guess it depends if not matching the 2.3 behavior exactly is considered a bug.

@alikins
Contributor

alikins commented Sep 18, 2017

EDIT: Also, an additional point (this is actually probably important), is that when you are reprompted to create a "new" password for an already encrypted file, if you input the password originally used for encryption on both of the "set a new password prompts", you will be able to access the file, if you try to set a new password however, that will fail.

Hmm, interesting. That seems busted UXD wise. (I can see why the current code does that, but that doesn't seem like the right thing...)

@alikins
Contributor

alikins commented Sep 18, 2017

I think I have a way to use the 2.3 UI and auto_prompt, pr soon

@abadger
Contributor

abadger commented Sep 18, 2017

2.3 behaviour is correct if and only if edit is used with an existing encrypted file. There can be no typo in the password in that case because the file will not decrypt if there is a typo in the password. For creating a new file with ansible-vault edit, the two password prompt makes sense.
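
Added example, not part of the thread and not Ansible's code: a minimal model of the point in the comment above, that an existing encrypted file already rejects a mistyped password, so only the path that sets a new password needs a confirm prompt. The functions `seal`, `open_sealed`, `ask_new`, `edit` and `scripted` are hypothetical, the "Vault password: " prompt text is constructed, and the SHAKE-256 keystream is a stand-in cipher, not the vault file format.

```python
import hashlib
import hmac
import os

def _keys(password, salt):
    # One PBKDF2 run yields a cipher key and a separate MAC key.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 64)
    return km[:32], km[32:]

def _xor_stream(key, salt, data):
    # Stand-in cipher (stdlib has no AES): XOR with a SHAKE-256 keystream.
    ks = hashlib.shake_256(key + salt).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(password, plaintext):
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    ct = _xor_stream(enc_key, salt, plaintext)
    return salt + hmac.new(mac_key, ct, hashlib.sha256).digest() + ct

def open_sealed(password, blob):
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: wrong password")
    return _xor_stream(enc_key, salt, ct)

def ask_new(prompt):
    # New password: nothing exists to check it against, so ask twice.
    first = prompt("New Vault password: ")
    if first != prompt("Confirm New Vault password: "):
        raise ValueError("passwords do not match")
    return first

def edit(blob, prompt, change):
    # Existing file: one prompt. A typo fails the MAC check before any
    # re-encryption, so the file is never rewritten under a wrong password.
    password = prompt("Vault password: ")
    return seal(password, change(open_sealed(password, blob)))

def scripted(answers):
    # Test double for an interactive prompt: returns canned answers in order.
    it = iter(answers)
    return lambda _message: next(it)
```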

@alikins
Contributor

alikins commented Sep 18, 2017

ansible-vault edit nonexistingfile.yml

doesn't work in 2.0/2.1/2.2/2.3/2.4 (shows some variant of 'file not found' error)

@alikins
Contributor

alikins commented Sep 18, 2017

(#30491 (comment) confirms that single password prompt of 'edit' (ala 2.3) makes sense)

@nrwahl2
Contributor

nrwahl2 commented Sep 18, 2017

With this pr, if i try to edit an already encrypted file without --ask-vault-pass, I get: [generic help prompt] (comment on #30493)

YES, but the same behavior occurs with decrypt, view, and rekey, which are in the same group. This is due to ask_vault_pass defaulting to None. That behavior can be changed but is not isolated to edit.

A lot of this hinges upon whether we want or expect ansible-vault edit to be able to create or encrypt a new file. This was not the case in 2.3 and is not the case in devel. On both versions, after entering your password (single prompt on 2.3 and double-prompt on devel), it produces ERROR! [Errno 2] No such file or directory: <FILENAME>. As you noted above. This aligns with the man page:

EDIT
$ ansible-vault edit [options] FILE

  The edit sub-command is used to modify a file which was previously encrypted using
  ansible-vault.

  This command will decrypt the file to a temporary file and allow you to edit the file,
  saving it back when done and removing the temporary file.

That is what create is for. The only thing edit can do is confirm an existing password, but on devel it prompts as though it can and will set a new one. I would not be opposed to seeing a flag for creates where it prompts for a new password if the file does not yet exist.

alikins added a commit that referenced this issue Sep 19, 2017
* Don't ask for password confirm on 'ansible-vault edit'

This is to match the 2.3 behavior on:

        ansible-vault edit encrypted_file.yml

Previously, the above command would consider that a 'new password'
scenario and prompt accordingly, ie:

        $ ansible-vault edit encrypted_file.yml
        New Password:
        Confirm New Password:

The bug was caused by 'create_new_password' being used for
'edit' action. This also causes the previous implicit 'auto prompt'
to get triggered and prompt the user.

Fix is to make auto prompt explicit in the calling code to handle
the 'edit' case where we want to auto prompt but we do not want
to request a password confirm.

Fixes #30491
alikins added a commit that referenced this issue Sep 20, 2017
(cherry picked from commit 307be59)
@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Sep 20, 2017
prasadkatti pushed a commit to prasadkatti/ansible that referenced this issue Oct 1, 2017
BondAnthony pushed a commit to BondAnthony/ansible that referenced this issue Oct 5, 2017